Remove MTLS DR from Egress Gateway Task (#6795)

* clean up destination rule differences for auto mtls on by default

* lint fixes
This commit is contained in:
Gregory Hanson 2020-03-06 15:12:56 -05:00 committed by GitHub
parent 797c0f19ac
commit 2adfb33c25
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 194 deletions


@ -236,8 +236,7 @@ In this example, you set a timeout rule on calls to the `httpbin.org` service.
httpbin.org external service:
{{< text bash >}}
$ kubectl exec -it $SOURCE_POD -c sleep sh
$ time curl -o /dev/null -s -w "%{http_code}\n" http://httpbin.org/delay/5
$ kubectl exec -it $SOURCE_POD -c sleep -- time curl -o /dev/null -s -w "%{http_code}\n" http://httpbin.org/delay/5
200
real 0m5.024s
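Review bot: the collapsed one-shot command on the `kubectl exec -it $SOURCE_POD -c sleep -- time curl ...` line still carries `-it`, which is only needed for the interactive shell this hunk removes; with no terminal attached (CI, copy-paste into a script) `kubectl` emits a "Unable to use a TTY" warning, so drop the flags: `$ kubectl exec $SOURCE_POD -c sleep -- time curl -o /dev/null -s -w "%{http_code}\n" http://httpbin.org/delay/5`. Also note `time` here is whatever binary the `sleep` image ships, not the shell builtin, so the `real 0m5.024s` sample output may differ in format from what readers see.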
@ -247,7 +246,7 @@ In this example, you set a timeout rule on calls to the `httpbin.org` service.
The request should return 200 (OK) in approximately 5 seconds.
1. Exit the source pod and use `kubectl` to set a 3s timeout on calls to the `httpbin.org` external service:
1. Use `kubectl` to set a 3s timeout on calls to the `httpbin.org` external service:
{{< text bash >}}
$ kubectl apply -f - <<EOF
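Review bot: the wording change from "Exit the source pod and use `kubectl`" to "Use `kubectl`" is the necessary follow-through for the previous hunk, since readers never enter the pod any more; check that no later step in this file still says "exit the pod" or assumes a shell inside `sleep`, otherwise the two hunks leave the task internally inconsistent.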


@ -115,59 +115,6 @@ First create a `ServiceEntry` to allow direct traffic to an external service.
1. Create an egress `Gateway` for _edition.cnn.com_, port 80, and a destination rule for
traffic directed to the egress gateway.
Choose the instructions corresponding to whether or not you have
[mutual TLS Authentication](/docs/tasks/security/authentication/authn-policy/) enabled in Istio.
{{< tabset category-name="mtls" >}}
{{< tab name="mutual TLS enabled" category-value="enabled" >}}
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway
spec:
selector:
istio: egressgateway
servers:
- port:
number: 80
name: https
protocol: HTTPS
hosts:
- edition.cnn.com
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: egressgateway-for-cnn
spec:
host: istio-egressgateway.istio-system.svc.cluster.local
subsets:
- name: cnn
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
portLevelSettings:
- port:
number: 80
tls:
mode: ISTIO_MUTUAL
sni: edition.cnn.com
EOF
{{< /text >}}
{{< /tab >}}
{{< tab name="mutual TLS disabled" category-value="disabled" >}}
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
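Review bot: removing the "mutual TLS enabled" tab drops the Gateway server with `tls.mode: MUTUAL` and the `ISTIO_MUTUAL` `portLevelSettings` on the destination rule, along with the sentence that told readers to pick a variant based on whether mutual TLS is enabled, but nothing in the retained text states the assumption the commit message relies on (auto mTLS on by default). Add one sentence at this step saying the remaining configuration relies on auto mTLS to protect sidecar-to-egress-gateway traffic, so a reader on a mesh with mTLS disabled understands that hop is plaintext, and either drop or retarget the now-unlinked reference to `/docs/tasks/security/authentication/authn-policy/` elsewhere in the page if it exists.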
@ -196,10 +143,6 @@ First create a `ServiceEntry` to allow direct traffic to an external service.
EOF
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
1. Define a `VirtualService` to direct traffic from the sidecars to the egress gateway and from the egress gateway
to the external service:
@ -323,94 +266,6 @@ You need to specify port 443 with protocol `TLS` in a corresponding `ServiceEntr
1. Create an egress `Gateway` for _edition.cnn.com_, a destination rule and a virtual service
to direct the traffic through the egress gateway and from the egress gateway to the external service.
Choose the instructions corresponding to whether or not you have
[mutual TLS Authentication](/docs/tasks/security/authentication/authn-policy/) enabled in Istio.
{{< tabset category-name="mtls" >}}
{{< tab name="mutual TLS enabled" category-value="enabled" >}}
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway
spec:
selector:
istio: egressgateway
servers:
- port:
number: 443
name: tls-cnn
protocol: TLS
hosts:
- edition.cnn.com
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: egressgateway-for-cnn
spec:
host: istio-egressgateway.istio-system.svc.cluster.local
subsets:
- name: cnn
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
portLevelSettings:
- port:
number: 443
tls:
mode: ISTIO_MUTUAL
sni: edition.cnn.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: direct-cnn-through-egress-gateway
spec:
hosts:
- edition.cnn.com
gateways:
- mesh
- istio-egressgateway
tls:
- match:
- gateways:
- mesh
port: 443
sni_hosts:
- edition.cnn.com
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
subset: cnn
port:
number: 443
tcp:
- match:
- gateways:
- istio-egressgateway
port: 443
route:
- destination:
host: edition.cnn.com
port:
number: 443
weight: 100
EOF
{{< /text >}}
{{< /tab >}}
{{< tab name="mutual TLS disabled" category-value="disabled" >}}
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
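Review bot: the kept context line "Create an egress `Gateway` for _edition.cnn.com_, a destination rule and a virtual service" still promises a destination rule, and the removed `VirtualService` routes to `subset: cnn` on `istio-egressgateway.istio-system.svc.cluster.local`; confirm the retained variant that follows this hunk still defines a `DestinationRule` with a `cnn` subset (minus the `ISTIO_MUTUAL` port-level TLS block) so the `subset: cnn` route resolves, and if it does not, reword the step to "a virtual service" and remove the subset reference from the route.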
@ -477,10 +332,6 @@ You need to specify port 443 with protocol `TLS` in a corresponding `ServiceEntr
EOF
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
1. Send an HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics).
The output should be the same as before.
@ -660,39 +511,6 @@ external service.
1. Create the same destination rule as for the `sleep` pod in the `default` namespace to direct the traffic through the egress gateway:
Choose the instructions corresponding to whether or not you have
[mutual TLS Authentication](/docs/tasks/security/authentication/authn-policy/) enabled in Istio.
{{< tabset category-name="mtls" >}}
{{< tab name="mutual TLS enabled" category-value="enabled" >}}
{{< text bash >}}
$ kubectl apply -n test-egress -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: egressgateway-for-cnn
spec:
host: istio-egressgateway.istio-system.svc.cluster.local
subsets:
- name: cnn
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
portLevelSettings:
- port:
number: 443
tls:
mode: ISTIO_MUTUAL
sni: edition.cnn.com
EOF
{{< /text >}}
{{< /tab >}}
{{< tab name="mutual TLS disabled" category-value="disabled" >}}
{{< text bash >}}
$ kubectl apply -n test-egress -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
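Review bot: the context line "Create the same destination rule as for the `sleep` pod in the `default` namespace" is now only true if the `test-egress` variant retained below this hunk matches the `default`-namespace rule left after the earlier hunk in this file; both removed variants carried the same `ISTIO_MUTUAL` / `sni: edition.cnn.com` block, so the two retained rules should now be byte-for-byte identical apart from `-n test-egress`. Worth a quick diff of the two YAML blocks before merging.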
@ -706,10 +524,6 @@ external service.
EOF
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
1. Send an HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics). Now it should succeed
since the traffic flows to `istio-egressgateway` in the `istio-system` namespace, which is allowed by the
Network Policy you defined. `istio-egressgateway` forwards the traffic to `edition.cnn.com`.
@ -719,13 +533,17 @@ external service.
200
{{< /text >}}
1. Check the statistics of the egress gateway's proxy and see a counter that corresponds to our
requests to _edition.cnn.com_. If Istio is deployed in the `istio-system` namespace, the command to print the
counter is:
1. Check the log of the egress gateway's proxy. If Istio is deployed in the `istio-system` namespace, the command to
print the log is:
{{< text bash >}}
$ kubectl exec $(kubectl get pod -l istio=egressgateway -n istio-system -o jsonpath='{.items[0].metadata.name}') -c istio-proxy -n istio-system -- pilot-agent request GET stats | grep edition.cnn.com.upstream_cx_total
cluster.outbound|443||edition.cnn.com.upstream_cx_total: 2
$ kubectl logs -l istio=egressgateway -n istio-system
{{< /text >}}
You should see a line similar to the following:
{{< text plain >}}
[2020-03-06T18:12:33.101Z] "- - -" 0 - "-" "-" 906 1352475 35 - "-" "-" "-" "-" "151.101.193.67:443" outbound|443||edition.cnn.com 172.30.223.53:39460 172.30.223.53:443 172.30.223.58:38138 edition.cnn.com -
{{< /text >}}
### Cleanup network policies
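Review bot: replacing the `upstream_cx_total` counter check with `kubectl logs -l istio=egressgateway -n istio-system` weakens the verification, because `kubectl logs` with a label selector defaults to the last 10 lines per pod, so on a gateway that is handling other traffic the `outbound|443||edition.cnn.com` access-log line may already have scrolled out. Suggest `$ kubectl logs -l istio=egressgateway -n istio-system | grep edition.cnn.com` (or `--tail=-1`) so the reader lands on the line the sample output shows, and keep the step text "You should see a line similar to the following" pointing at that filtered output. The pasted sample line also embeds the resolved upstream address `151.101.193.67:443` and cluster pod IPs, which will differ for every reader; consider noting that only the `outbound|443||edition.cnn.com` cluster name is the part to match.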